Formatting: add a new 'safe_style_disallowed_chars' filter.

Enable developers to change the regex used in `safecss_filter_attr` to limit characters in the parsed CSS.

Props paulschreiber, swissspidy, rmccue, bartekcholewa, miinasikk.
Fixes #37134.


Built from https://develop.svn.wordpress.org/trunk@47891


git-svn-id: http://core.svn.wordpress.org/trunk@47665 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-includes/kses.php

@@ -2301,13 +2301,24 @@ function safecss_filter_attr( $css, $deprecated = '' ) {
 			}
 		}
 
-		// Remove any CSS containing containing \ ( & } = or comments, except for url() useage checked above.
+		if ( $found ) {
-		if ( $found && ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string ) ) {
+			/**
-			if ( '' !== $css ) {
+			 * Filters the regex limiting the list of characters not allowed in CSS rules.
-				$css .= ';';
+			 *
+			 * Default behaviour is to remove any css containing \ ( & } = or comments, except for url() usage.
+			 *
+			 * @since 5.5.0
+			 *
+			 * @param string $regex           Regex pattern of disallowed characters in CSS rules. Default is '%[\\\(&=}]|/\*%'.
+			 * @param string $css_test_string CSS value to test.
+			 */
+			$disallowed_chars = apply_filters( 'safe_style_disallowed_chars', '%[\\\(&=}]|/\*%', $css_test_string );
+			if ( ! preg_match( $disallowed_chars, $css_test_string ) ) {
+				if ( '' !== $css ) {
+					$css .= ';';
+				}
+				$css .= $css_item;
 			}
-
-			$css .= $css_item;
 		}
 	}
 

wp-includes/version.php

@@ -13,7 +13,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '5.5-alpha-47889';
+$wp_version = '5.5-alpha-47891';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.